Authenticated access to directory indexes in Apache

You don’t want your media directories (images, css, javascript) to be anonymously browseable, right? But wouldn’t it be nice if you could browse them? Here’s how to do it:

<Directory /path/to/media>
    Options +Indexes
    Order Deny,Allow
    Allow from all
    Satisfy all
    <Files index.html>
        [authorization directives]

Depending on how your authentication mechanism works, you may also have to add a RewriteRule directive to deal with an explicit request for index.html:

RewriteRule ^/url/to/media/(.*/)?index.html$ /url/to/media/$1 [R,L]

In my case, using Shibboleth and mod_shib, authentication takes place on an external site and then redirects the client back. I’m guessing that because mod_dir is internally rewriting the URL from */ to */index.html, mod_shib is not handed the “original” URL (with just the trailing slash), but the DirectoryIndex URL.